test_win_lgpo.py 52 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132
  1. import logging
  2. import os
  3. import re
  4. import salt.utils.files
  5. import salt.utils.platform
  6. import salt.utils.win_reg as reg
  7. from tests.support.case import ModuleCase
  8. from tests.support.helpers import destructiveTest, random_string
  9. from tests.support.runtests import RUNTIME_VARS
  10. from tests.support.unit import skipIf
  11. log = logging.getLogger(__name__)
  12. @skipIf(not salt.utils.platform.is_windows(), "windows test only")
  13. class WinLgpoTest(ModuleCase):
  14. """
  15. Tests for salt.modules.win_lgpo
  16. """
  17. osrelease = None
  18. def _testRegistryPolicy(
  19. self,
  20. policy_name,
  21. policy_config,
  22. registry_value_hive,
  23. registry_value_path,
  24. registry_value_vname,
  25. expected_value_data,
  26. expected_value_type=None,
  27. expect_value_exists=True,
  28. ):
  29. """
  30. Takes a registry based policy name and config and validates that the
  31. expected registry value exists and has the correct data
  32. policy_name
  33. name of the registry based policy to configure
  34. policy_config
  35. the configuration of the policy
  36. registry_value_hive
  37. the registry hive that the policy registry path is in
  38. registry_value_path
  39. the registry value path that the policy updates
  40. registry_value_vname
  41. the registry value name
  42. expected_value_data
  43. the expected data that the value will contain
  44. expected_value_type
  45. the registry value type (i.e. REG_SZ, REG_DWORD, etc)
  46. expect_value_exists
  47. define if it expected for a registry value to exist
  48. some policies when set to 'Not Defined' delete the registry value
  49. """
  50. ret = self.run_function(
  51. "lgpo.set_computer_policy", (policy_name, policy_config)
  52. )
  53. self.assertTrue(ret)
  54. val = reg.read_value(
  55. registry_value_hive, registry_value_path, registry_value_vname
  56. )
  57. if expect_value_exists:
  58. self.assertTrue(
  59. val["success"],
  60. msg="Failed to obtain the registry data for policy {}".format(
  61. policy_name
  62. ),
  63. )
  64. self.assertEqual(
  65. val["vdata"],
  66. expected_value_data,
  67. "The registry value data {} does not match the expected value {} for policy {}".format(
  68. val["vdata"], expected_value_data, policy_name
  69. ),
  70. )
  71. if expected_value_type:
  72. self.assertEqual(
  73. val["vtype"],
  74. expected_value_type,
  75. "The registry value type {} does not match the expected type {} for policy {}".format(
  76. val["vtype"], expected_value_type, policy_name
  77. ),
  78. )
  79. def _testSeceditPolicy(
  80. self,
  81. policy_name,
  82. policy_config,
  83. expected_regexes,
  84. cumulative_rights_assignments=True,
  85. ):
  86. """
  87. Takes a secedit policy name and config and validates that the expected
  88. output is returned from secedit
  89. policy_name
  90. name of the secedit policy to configure
  91. policy_config
  92. the configuration of the policy
  93. expected_regexes
  94. the expected regexes to be found in the secedit output file
  95. """
  96. ret = self.run_function(
  97. "lgpo.set_computer_policy",
  98. (policy_name, policy_config),
  99. cumulative_rights_assignments=cumulative_rights_assignments,
  100. )
  101. self.assertTrue(ret)
  102. secedit_output_file = os.path.join(
  103. RUNTIME_VARS.TMP, random_string("secedit-output-")
  104. )
  105. secedit_output = self.run_function(
  106. "cmd.run", (), cmd="secedit /export /cfg {}".format(secedit_output_file)
  107. )
  108. secedit_file_content = None
  109. if secedit_output:
  110. with salt.utils.files.fopen(
  111. secedit_output_file, encoding="utf-16"
  112. ) as _reader:
  113. secedit_file_content = _reader.read()
  114. for expected_regex in expected_regexes:
  115. match = re.search(
  116. expected_regex, secedit_file_content, re.IGNORECASE | re.MULTILINE
  117. )
  118. self.assertIsNotNone(
  119. match,
  120. 'Failed validating policy "{}" configuration, regex "{}" not found in secedit output'.format(
  121. policy_name, expected_regex
  122. ),
  123. )
  124. def _testAdmxPolicy(
  125. self,
  126. policy_name,
  127. policy_config,
  128. expected_regexes,
  129. assert_true=True,
  130. policy_class="Machine",
  131. ):
  132. """
  133. Takes a ADMX policy name and config and validates that the expected
  134. output is returned from lgpo looking at the Registry.pol file
  135. policy_name
  136. name of the ADMX policy to configure
  137. policy_config
  138. the configuration of the policy
  139. expected_regexes
  140. the expected regexes to be found in the lgpo parse output
  141. assert_true
  142. set to false if expecting the module run to fail
  143. policy_class
  144. the policy class this policy belongs to, either Machine or User
  145. """
  146. lgpo_function = "set_computer_policy"
  147. lgpo_class = "/m"
  148. lgpo_folder = "Machine"
  149. lgpo_top_level = "Computer Configuration"
  150. if policy_class.lower() == "user":
  151. lgpo_function = "set_user_policy"
  152. lgpo_class = "/u"
  153. lgpo_folder = "User"
  154. lgpo_top_level = "User Configuration"
  155. ret = self.run_function(
  156. "lgpo.{}".format(lgpo_function), (policy_name, policy_config)
  157. )
  158. log.debug("lgpo set_computer_policy ret == %s", ret)
  159. cmd = [
  160. "lgpo.exe",
  161. "/parse",
  162. lgpo_class,
  163. r"c:\Windows\System32\GroupPolicy\{}\Registry.pol".format(lgpo_folder),
  164. ]
  165. if assert_true:
  166. self.assertTrue(ret)
  167. lgpo_output = self.run_function("cmd.run", (), cmd=" ".join(cmd))
  168. # validate that the lgpo output doesn't say the format is invalid
  169. self.assertIsNone(
  170. re.search(r"Invalid file format\.", lgpo_output, re.IGNORECASE),
  171. msg="Failed validating Registry.pol file format",
  172. )
  173. # validate that the regexes we expect are in the output
  174. for expected_regex in expected_regexes:
  175. match = re.search(expected_regex, lgpo_output, re.IGNORECASE)
  176. self.assertIsNotNone(
  177. match,
  178. msg='Failed validating policy "{}" configuration, regex '
  179. '"{}" not found in lgpo output:\n{}'
  180. "".format(policy_name, expected_regex, lgpo_output),
  181. )
  182. # validate the lgpo also sees the right setting
  183. this_policy_info = self.run_function(
  184. "lgpo.get_policy_info",
  185. (),
  186. policy_name=policy_name,
  187. policy_class=policy_class,
  188. )
  189. ret = self.run_function(
  190. "lgpo.get", (), policy_class=policy_class, return_not_configured=True
  191. )
  192. self.assertTrue(
  193. lgpo_top_level in ret, msg="lgpo did not return the expected entries"
  194. )
  195. found_policy = False
  196. output_policy_name = None
  197. if "policy_aliases" in this_policy_info:
  198. for policy_alias in this_policy_info["policy_aliases"]:
  199. if policy_alias in ret[lgpo_top_level]:
  200. found_policy = True
  201. output_policy_name = policy_alias
  202. break
  203. else:
  204. found_policy = policy_name in ret[lgpo_top_level]
  205. self.assertTrue(
  206. found_policy, msg="The configured policy is not in the lgpo.get output"
  207. )
  208. if isinstance(policy_config, list):
  209. for this_item in policy_config:
  210. self.assertTrue(
  211. this_item in ret[lgpo_top_level][output_policy_name],
  212. msg="Item {} not found in policy configuration".format(
  213. this_item
  214. ),
  215. )
  216. elif isinstance(policy_config, dict):
  217. for this_item, this_val in policy_config.items():
  218. item_correct = False
  219. actual_val = None
  220. if (
  221. "policy_elements" in this_policy_info
  222. and this_policy_info["policy_elements"]
  223. ):
  224. for policy_element in this_policy_info["policy_elements"]:
  225. if item_correct:
  226. break
  227. if (
  228. "element_aliases" in policy_element
  229. and policy_element["element_aliases"]
  230. ):
  231. if this_item in policy_element["element_aliases"]:
  232. for element_alias in policy_element[
  233. "element_aliases"
  234. ]:
  235. if (
  236. element_alias
  237. in ret[lgpo_top_level][output_policy_name]
  238. ):
  239. actual_val = ret[lgpo_top_level][
  240. output_policy_name
  241. ][element_alias]
  242. if (
  243. ret[lgpo_top_level][output_policy_name][
  244. element_alias
  245. ]
  246. == this_val
  247. ):
  248. item_correct = True
  249. break
  250. self.assertTrue(
  251. item_correct,
  252. msg='Item "{}" does not have the expected value of "{}"{}'.format(
  253. this_item,
  254. this_val,
  255. ' value found: "{}"'.format(actual_val)
  256. if actual_val
  257. else "",
  258. ),
  259. )
  260. else:
  261. self.assertEqual(
  262. ret[lgpo_top_level][output_policy_name],
  263. policy_config,
  264. msg="lgpo did not return the expected value for the policy",
  265. )
  266. else:
  267. # expecting it to fail
  268. self.assertNotEqual(ret, True)
  269. def runTest(self):
  270. """
  271. runTest method
  272. """
  273. @classmethod
  274. def setUpClass(cls):
  275. """
  276. class setup function, only runs once
  277. downloads and extracts the lgpo.exe tool into c:/windows/system32
  278. for use in validating the registry.pol files
  279. gets osrelease grain for tests that are only applicable to certain
  280. windows versions
  281. """
  282. osrelease_grains = cls().run_function("grains.item", ["osrelease"])
  283. if "osrelease" in osrelease_grains:
  284. cls.osrelease = osrelease_grains["osrelease"]
  285. else:
  286. log.debug("Unable to get osrelease grain")
  287. if not os.path.exists(r"c:\windows\system32\lgpo.exe"):
  288. log.debug("lgpo.exe does not exist, attempting to download/extract")
  289. ret = cls().run_function(
  290. "state.single",
  291. ("archive.extracted", r"c:\windows\system32"),
  292. source="https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip",
  293. archive_format="zip",
  294. source_hash="sha256=6ffb6416366652993c992280e29faea3507b5b5aa661c33ba1af31f48acea9c4",
  295. enforce_toplevel=False,
  296. )
  297. log.debug("ret from archive.unzip == %s", ret)
  298. @destructiveTest
  299. def test_set_user_policy_point_and_print_restrictions(self):
  300. """
  301. Test setting/unsetting/changing the PointAndPrint_Restrictions user policy
  302. """
  303. # Disable Point and Print Restrictions
  304. self._testAdmxPolicy(
  305. r"Control Panel\Printers\Point and Print Restrictions",
  306. "Disabled",
  307. [
  308. r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*Restricted[\s]*DWORD:0",
  309. r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*TrustedServers[\s]*DELETE",
  310. r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*ServerList[\s]*DELETE",
  311. r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*InForest[\s]*DELETE",
  312. r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*NoWarningNoElevationOnInstall[\s]*DELETE",
  313. r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*UpdatePromptSettings[\s]*DELETE",
  314. ],
  315. policy_class="User",
  316. )
  317. # Enable Point and Print Restrictions
  318. self._testAdmxPolicy(
  319. r"Point and Print Restrictions",
  320. {
  321. "Users can only point and print to these servers": True,
  322. "Enter fully qualified server names separated by semicolons": "fakeserver1;fakeserver2",
  323. "Users can only point and print to machines in their forest": True,
  324. "When installing drivers for a new connection": "Show warning and elevation prompt",
  325. "When updating drivers for an existing connection": "Show warning only",
  326. },
  327. [
  328. r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*Restricted[\s]*DWORD:1",
  329. r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*TrustedServers[\s]*DWORD:1",
  330. r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*ServerList[\s]*SZ:fakeserver1;fakeserver2",
  331. r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*InForest[\s]*DWORD:1",
  332. r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*NoWarningNoElevationOnInstall[\s]*DWORD:0",
  333. r"User[\s]*Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint[\s]*UpdatePromptSettings[\s]*DWORD:1",
  334. ],
  335. policy_class="User",
  336. )
  337. # set Point and Print Restrictions to 'Not Configured'
  338. self._testAdmxPolicy(
  339. r"Control Panel\Printers\Point and Print Restrictions",
  340. "Not Configured",
  341. [
  342. r"; Source file: c:\\windows\\system32\\grouppolicy\\user\\registry.pol[\s]*; PARSING COMPLETED."
  343. ],
  344. policy_class="User",
  345. )
  346. @destructiveTest
  347. def test_set_computer_policy_NTP_Client(self):
  348. """
  349. Test setting/unsetting/changing NTP Client policies
  350. """
  351. # Disable Configure NTP Client
  352. self._testAdmxPolicy(
  353. r"System\Windows Time Service\Time Providers\Configure Windows NTP Client",
  354. "Disabled",
  355. [
  356. r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\Parameters[\s]*NtpServer[\s]*DELETE",
  357. r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\Parameters[\s]*Type[\s]*DELETE",
  358. r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*CrossSiteSyncFlags[\s]*DELETE",
  359. r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*ResolvePeerBackoffMinutes[\s]*DELETE",
  360. r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*ResolvePeerBackoffMaxTimes[\s]*DELETE",
  361. r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*SpecialPollInterval[\s]*DELETE",
  362. r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*EventLogFlags[\s]*DELETE",
  363. ],
  364. )
  365. # Enable Configure NTP Client
  366. self._testAdmxPolicy(
  367. r"System\Windows Time Service\Time Providers\Configure Windows NTP Client",
  368. {
  369. "NtpServer": "time.windows.com,0x9",
  370. "Type": "NT5DS",
  371. "CrossSiteSyncFlags": 2,
  372. "ResolvePeerBackoffMinutes": 15,
  373. "ResolvePeerBackoffMaxTimes": 7,
  374. "W32TIME_SpecialPollInterval": 3600,
  375. "W32TIME_NtpClientEventLogFlags": 0,
  376. },
  377. [
  378. r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\Parameters[\s]*NtpServer[\s]*SZ:time.windows.com,0x9",
  379. r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\Parameters[\s]*Type[\s]*SZ:NT5DS",
  380. r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*CrossSiteSyncFlags[\s]*DWORD:2",
  381. r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*ResolvePeerBackoffMinutes[\s]*DWORD:15",
  382. r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*ResolvePeerBackoffMaxTimes[\s]*DWORD:7",
  383. r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*SpecialPollInterval[\s]*DWORD:3600",
  384. r"Computer[\s]*Software\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient[\s]*EventLogFlags[\s]*DWORD:0",
  385. ],
  386. )
  387. # set Configure NTP Client to 'Not Configured'
  388. self._testAdmxPolicy(
  389. r"System\Windows Time Service\Time Providers\Configure Windows NTP Client",
  390. "Not Configured",
  391. [
  392. r"; Source file: c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED."
  393. ],
  394. )
  395. @destructiveTest
  396. def test_set_computer_policy_RA_Unsolicit(self):
  397. """
  398. Test setting/unsetting/changing RA_Unsolicit policy
  399. """
  400. # Disable RA_Unsolicit
  401. log.debug("Attempting to disable RA_Unsolicit")
  402. self._testAdmxPolicy(
  403. "RA_Unsolicit",
  404. "Disabled",
  405. [
  406. r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicited[\s]*DWORD:0",
  407. r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicitedFullControl[\s]*DELETE",
  408. r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*\*[\s]*DELETEALLVALUES",
  409. ],
  410. )
  411. # configure RA_Unsolicit
  412. log.debug("Attempting to configure RA_Unsolicit")
  413. self._testAdmxPolicy(
  414. "RA_Unsolicit",
  415. {
  416. "Permit remote control of this computer": "Allow helpers to remotely control the computer",
  417. "Helpers": ["administrators", "user1"],
  418. },
  419. [
  420. r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*user1[\s]*SZ:user1[\s]*",
  421. r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*administrators[\s]*SZ:administrators[\s]*",
  422. r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicited[\s]*DWORD:1",
  423. r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicitedFullControl[\s]*DWORD:1",
  424. ],
  425. )
  426. # Not Configure RA_Unsolicit
  427. log.debug("Attempting to set RA_Unsolicit to Not Configured")
  428. self._testAdmxPolicy(
  429. "RA_Unsolicit",
  430. "Not Configured",
  431. [
  432. r"; Source file: c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED."
  433. ],
  434. )
  435. @destructiveTest
  436. def test_set_computer_policy_Pol_HardenedPaths(self):
  437. # Disable Pol_HardenedPaths
  438. log.debug("Attempting to disable Pol_HardenedPaths")
  439. self._testAdmxPolicy(
  440. "Pol_HardenedPaths",
  441. "Disabled",
  442. [
  443. r"Computer[\s]*Software\\policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths[\s]*\*[\s]*DELETEALLVALUES"
  444. ],
  445. )
  446. # Configure Pol_HardenedPaths
  447. log.debug("Attempting to configure Pol_HardenedPaths")
  448. self._testAdmxPolicy(
  449. "Pol_HardenedPaths",
  450. {
  451. "Hardened UNC Paths": {
  452. r"\\*\NETLOGON": "RequireMutualAuthentication=1, RequireIntegrity=1",
  453. r"\\*\SYSVOL": "RequireMutualAuthentication=1, RequireIntegrity=1",
  454. }
  455. },
  456. [
  457. r"Computer[\s]*Software\\policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths[\s]*\\\\\*\\NETLOGON[\s]*SZ:RequireMutualAuthentication=1, RequireIntegrity=1[\s]*",
  458. r"Computer[\s]*Software\\policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths[\s]*\\\\\*\\SYSVOL[\s]*SZ:RequireMutualAuthentication=1, RequireIntegrity=1[\s]*",
  459. ],
  460. )
  461. # Not Configure Pol_HardenedPaths
  462. log.debug("Attempting to set Pol_HardenedPaths to Not Configured")
  463. self._testAdmxPolicy(
  464. "Pol_HardenedPaths",
  465. "Not Configured",
  466. [
  467. r"; Source file: c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED."
  468. ],
  469. )
  470. @destructiveTest
  471. def test_set_computer_policy_WindowsUpdate(self):
  472. """
  473. Test setting/unsetting/changing WindowsUpdate policy
  474. """
  475. # Configure Automatic Updates has different options in different builds
  476. # and releases of Windows, so we'll get the elements and add them if
  477. # they are present. Newer elements will need to be added manually as
  478. # they are released by Microsoft
  479. result = self.run_function(
  480. "lgpo.get_policy_info",
  481. ["Configure Automatic Updates"],
  482. policy_class="machine",
  483. )
  484. the_policy = {}
  485. the_policy_check_enabled = [
  486. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*NoAutoUpdate[\s]*DWORD:0",
  487. ]
  488. the_policy_check_disabled = [
  489. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*NoAutoUpdate[\s]*DWORD:1",
  490. ]
  491. for item in result["policy_elements"]:
  492. if "Configure automatic updating" in item["element_aliases"]:
  493. the_policy.update(
  494. {
  495. "Configure automatic updating": "4 - Auto download and schedule the install",
  496. }
  497. )
  498. the_policy_check_enabled.append(
  499. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AUOptions[\s]*DWORD:4",
  500. )
  501. the_policy_check_disabled.append(
  502. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AUOptions[\s]*DELETE",
  503. )
  504. elif "Install during automatic maintenance" in item["element_aliases"]:
  505. the_policy.update({"Install during automatic maintenance": True})
  506. the_policy_check_enabled.append(
  507. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AutomaticMaintenanceEnabled[\s]*DWORD:1\s*",
  508. )
  509. the_policy_check_disabled.append(
  510. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AutomaticMaintenanceEnabled[\s]*DELETE",
  511. )
  512. elif "Scheduled install day" in item["element_aliases"]:
  513. the_policy.update({"Scheduled install day": "7 - Every Saturday"})
  514. the_policy_check_enabled.append(
  515. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallDay[\s]*DWORD:7",
  516. )
  517. the_policy_check_disabled.append(
  518. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallDay[\s]*DELETE",
  519. )
  520. elif "Scheduled install time" in item["element_aliases"]:
  521. the_policy.update({"Scheduled install time": "17:00"})
  522. the_policy_check_enabled.append(
  523. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallTime[\s]*DWORD:17",
  524. )
  525. the_policy_check_disabled.append(
  526. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallTime[\s]*DELETE",
  527. )
  528. elif (
  529. "Install updates for other Microsoft products"
  530. in item["element_aliases"]
  531. ):
  532. the_policy.update(
  533. {"Install updates for other Microsoft products": True}
  534. )
  535. the_policy_check_enabled.append(
  536. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AllowMUUpdateService[\s]*DWORD:1\s*"
  537. )
  538. the_policy_check_disabled.append(
  539. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AllowMUUpdateService[\s]*DELETE"
  540. )
  541. elif "AutoUpdateSchEveryWeek" in item["element_aliases"]:
  542. the_policy.update({"AutoUpdateSchEveryWeek": True})
  543. the_policy_check_enabled.append(
  544. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallEveryWeek[\s]*DWORD:1\s*"
  545. )
  546. the_policy_check_disabled.append(
  547. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallEveryWeek[\s]*DELETE"
  548. )
  549. elif "First week of the month" in item["element_aliases"]:
  550. the_policy.update({"First week of the month": True})
  551. the_policy_check_enabled.append(
  552. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallFirstWeek[\s]*DWORD:1\s*"
  553. )
  554. the_policy_check_disabled.append(
  555. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallFirstWeek[\s]*DELETE"
  556. )
  557. elif "Second week of the month" in item["element_aliases"]:
  558. the_policy.update({"Second week of the month": True})
  559. the_policy_check_enabled.append(
  560. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallSecondWeek[\s]*DWORD:1\s*"
  561. )
  562. the_policy_check_disabled.append(
  563. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallSecondWeek[\s]*DELETE"
  564. )
  565. elif "Third week of the month" in item["element_aliases"]:
  566. the_policy.update({"Third week of the month": True})
  567. the_policy_check_enabled.append(
  568. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallThirdWeek[\s]*DWORD:1\s*"
  569. )
  570. the_policy_check_disabled.append(
  571. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallThirdWeek[\s]*DELETE"
  572. )
  573. elif "Fourth week of the month" in item["element_aliases"]:
  574. the_policy.update({"Fourth week of the month": True})
  575. the_policy_check_enabled.append(
  576. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallFourthWeek[\s]*DWORD:1\s*"
  577. )
  578. the_policy_check_disabled.append(
  579. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallFourthWeek[\s]*DELETE"
  580. )
  581. # enable Automatic Updates
  582. self._testAdmxPolicy(
  583. r"Windows Components\Windows Update\Configure Automatic Updates",
  584. the_policy,
  585. the_policy_check_enabled,
  586. )
  587. # disable Configure Automatic Updates
  588. self._testAdmxPolicy(
  589. r"Windows Components\Windows Update\Configure Automatic Updates",
  590. "Disabled",
  591. the_policy_check_disabled,
  592. )
  593. # set Configure Automatic Updates to 'Not Configured'
  594. self._testAdmxPolicy(
  595. r"Windows Components\Windows Update\Configure Automatic Updates",
  596. "Not Configured",
  597. [
  598. r"; Source file: c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED."
  599. ],
  600. )
  601. @destructiveTest
  602. def test_set_computer_policy_ClipboardRedirection(self):
  603. """
  604. Test setting/unsetting/changing ClipboardRedirection policy
  605. """
  606. # Enable/Disable/Not Configured "Do not allow Clipboard redirection"
  607. self._testAdmxPolicy(
  608. r"Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow Clipboard redirection",
  609. "Enabled",
  610. [
  611. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fDisableClip[\s]*DWORD:1"
  612. ],
  613. )
  614. self._testAdmxPolicy(
  615. r"Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow Clipboard redirection",
  616. "Disabled",
  617. [
  618. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fDisableClip[\s]*DWORD:0"
  619. ],
  620. )
  621. self._testAdmxPolicy(
  622. r"Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow Clipboard redirection",
  623. "Not Configured",
  624. [
  625. r"; Source file: c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED."
  626. ],
  627. )
  628. @destructiveTest
  629. def test_set_computer_policy_LockoutDuration(self):
  630. """
  631. Test setting LockoutDuration
  632. """
  633. # For LockoutDuration to be meaningful, first configure
  634. # LockoutThreshold
  635. self._testSeceditPolicy("LockoutThreshold", 3, [r"^LockoutBadCount = 3"])
  636. # Next set the LockoutDuration non-zero value, as this is required
  637. # before setting LockoutWindow
  638. self._testSeceditPolicy("LockoutDuration", 60, [r"^LockoutDuration = 60"])
  639. # Now set LockoutWindow to a valid value <= LockoutDuration. If this
  640. # is not set, then the LockoutDuration zero value is ignored by the
  641. # Windows API (leading to a false sense of accomplishment)
  642. self._testSeceditPolicy("LockoutWindow", 60, [r"^ResetLockoutCount = 60"])
  643. # set LockoutDuration zero value, the secedit zero value is -1
  644. self._testSeceditPolicy("LockoutDuration", 0, [r"^LockoutDuration = -1"])
  645. @destructiveTest
  646. def test_set_computer_policy_GuestAccountStatus(self):
  647. """
  648. Test setting/unsetting/changing GuestAccountStatus
  649. """
  650. # disable GuestAccountStatus
  651. self._testSeceditPolicy(
  652. "GuestAccountStatus", "Disabled", [r"^EnableGuestAccount = 0"]
  653. )
  654. # enable GuestAccountStatus
  655. self._testSeceditPolicy(
  656. "GuestAccountStatus", "Enabled", [r"^EnableGuestAccount = 1"]
  657. )
  658. @destructiveTest
  659. def test_set_computer_policy_PasswordComplexity(self):
  660. """
  661. Test setting/unsetting/changing PasswordComplexity
  662. """
  663. # disable PasswordComplexity
  664. self._testSeceditPolicy(
  665. "Password must meet complexity requirements",
  666. "Disabled",
  667. [r"^PasswordComplexity = 0"],
  668. )
  669. # enable PasswordComplexity
  670. self._testSeceditPolicy(
  671. "PasswordComplexity", "Enabled", [r"^PasswordComplexity = 1"]
  672. )
  673. @destructiveTest
  674. def test_set_computer_policy_PasswordLen(self):
  675. """
  676. Test setting/unsetting/changing PasswordLength
  677. """
  678. # set Minimum password length
  679. self._testSeceditPolicy(
  680. "Minimum password length", 10, [r"^MinimumPasswordLength = 10"]
  681. )
  682. # set MinimumPasswordLength = 0
  683. self._testSeceditPolicy("MinPasswordLen", 0, [r"^MinimumPasswordLength = 0"])
  684. @destructiveTest
  685. def test_set_computer_policy_SeNetworkLogonRight(self):
  686. """
  687. Test setting/unsetting/changing PasswordLength
  688. """
  689. # set SeNetworkLogonRight to only Administrators
  690. self._testSeceditPolicy(
  691. "Access this computer from the network",
  692. ["Administrators"],
  693. [r"^SeNetworkLogonRight = \*S-1-5-32-544"],
  694. cumulative_rights_assignments=False,
  695. )
  696. # set SeNetworkLogonRight back to the default
  697. self._testSeceditPolicy(
  698. "SeNetworkLogonRight",
  699. ["Everyone", "Administrators", "Users", "Backup Operators"],
  700. [
  701. r"^SeNetworkLogonRight = \*S-1-1-0,\*S-1-5-32-544,\*S-1-5-32-545,\*S-1-5-32-551"
  702. ],
  703. )
  704. @destructiveTest
  705. def test_set_computer_policy_multipleAdmxPolicies(self):
  706. """
  707. Tests setting several ADMX policies in succession and validating the configuration w/lgop
  708. """
  709. # set one policy
  710. self._testAdmxPolicy(
  711. r"Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow Clipboard redirection",
  712. "Disabled",
  713. [
  714. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fDisableClip[\s]*DWORD:0"
  715. ],
  716. )
  717. # set another policy and make sure both this policy and the previous are okay
  718. self._testAdmxPolicy(
  719. "RA_Unsolicit",
  720. {
  721. "Permit remote control of this computer": "Allow helpers to remotely control the computer",
  722. "Helpers": ["administrators", "user1"],
  723. },
  724. [
  725. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fDisableClip[\s]*DWORD:0",
  726. r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*user1[\s]*SZ:user1[\s]*",
  727. r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*administrators[\s]*SZ:administrators[\s]*",
  728. r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicited[\s]*DWORD:1",
  729. r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicitedFullControl[\s]*DWORD:1",
  730. ],
  731. )
  732. # Configure Automatic Updates and validate everything is still okay
  733. self._testAdmxPolicy(
  734. r"Windows Components\Windows Update\Configure Automatic Updates",
  735. "Disabled",
  736. [
  737. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fDisableClip[\s]*DWORD:0",
  738. r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*user1[\s]*SZ:user1[\s]*",
  739. r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit[\s]*administrators[\s]*SZ:administrators[\s]*",
  740. r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicited[\s]*DWORD:1",
  741. r"Computer[\s]*Software\\policies\\Microsoft\\Windows NT\\Terminal Services[\s]*fAllowUnsolicitedFullControl[\s]*DWORD:1",
  742. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*NoAutoUpdate[\s]*DWORD:1",
  743. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AUOptions[\s]*DELETE",
  744. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AutomaticMaintenanceEnabled[\s]*DELETE",
  745. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallDay[\s]*DELETE",
  746. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*ScheduledInstallTime[\s]*DELETE",
  747. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU[\s]*AllowMUUpdateService[\s]*DELETE",
  748. ],
  749. )
  750. @destructiveTest
  751. def test_set_computer_policy_DisableDomainCreds(self):
  752. """
  753. Tests Enable/Disable of DisableDomainCreds policy
  754. """
  755. self._testRegistryPolicy(
  756. policy_name="DisableDomainCreds",
  757. policy_config="Enabled",
  758. registry_value_hive="HKEY_LOCAL_MACHINE",
  759. registry_value_path="SYSTEM\\CurrentControlSet\\Control\\Lsa",
  760. registry_value_vname="DisableDomainCreds",
  761. expected_value_data=1,
  762. )
  763. self._testRegistryPolicy(
  764. policy_name="Network access: Do not allow storage of passwords and credentials for network authentication",
  765. policy_config="Disabled",
  766. registry_value_hive="HKEY_LOCAL_MACHINE",
  767. registry_value_path="SYSTEM\\CurrentControlSet\\Control\\Lsa",
  768. registry_value_vname="DisableDomainCreds",
  769. expected_value_data=0,
  770. )
  771. @destructiveTest
  772. def test_set_computer_policy_ForceGuest(self):
  773. """
  774. Tests changing ForceGuest policy
  775. """
  776. self._testRegistryPolicy(
  777. policy_name="ForceGuest",
  778. policy_config="Guest only - local users authenticate as Guest",
  779. registry_value_hive="HKEY_LOCAL_MACHINE",
  780. registry_value_path="SYSTEM\\CurrentControlSet\\Control\\Lsa",
  781. registry_value_vname="ForceGuest",
  782. expected_value_data=1,
  783. )
  784. self._testRegistryPolicy(
  785. policy_name="Network access: Sharing and security model for local accounts",
  786. policy_config="Classic - local users authenticate as themselves",
  787. registry_value_hive="HKEY_LOCAL_MACHINE",
  788. registry_value_path="SYSTEM\\CurrentControlSet\\Control\\Lsa",
  789. registry_value_vname="ForceGuest",
  790. expected_value_data=0,
  791. )
  792. @destructiveTest
  793. def test_set_computer_policy_DisableUXWUAccess(self):
  794. """
  795. Tests changing DisableUXWUAccess
  796. #50079 shows using the 'Remove access to use all Windows Update features' failed
  797. Policy only exists on 2016
  798. """
  799. valid_osreleases = ["2016Server"]
  800. if self.osrelease not in valid_osreleases:
  801. self.skipTest(
  802. "DisableUXWUAccess policy is only applicable if the osrelease grain is {}".format(
  803. " or ".join(valid_osreleases)
  804. )
  805. )
  806. else:
  807. self._testAdmxPolicy(
  808. r"DisableUXWUAccess",
  809. "Enabled",
  810. [
  811. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*SetDisableUXWUAccess[\s]*DWORD:1"
  812. ],
  813. )
  814. self._testAdmxPolicy(
  815. r"Remove access to use all Windows Update features",
  816. "Disabled",
  817. [
  818. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*SetDisableUXWUAccess[\s]*DWORD:0"
  819. ],
  820. )
  821. self._testAdmxPolicy(
  822. r"Windows Components\Windows Update\Remove access to use all Windows Update features",
  823. "Not Configured",
  824. [
  825. r"; Source file: c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED."
  826. ],
  827. )
  828. @destructiveTest
  829. def test_set_computer_policy_Access_data_sources_across_domains(self):
  830. """
  831. Tests that a policy that has multiple names
  832. """
  833. self._testAdmxPolicy(
  834. r"Access data sources across domains", "Enabled", [], assert_true=False
  835. )
  836. self._testAdmxPolicy(
  837. r"Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Access data sources across domains",
  838. {"Access data sources across domains": "Prompt"},
  839. [
  840. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3[\s]*1406[\s]*DWORD:1"
  841. ],
  842. )
  843. self._testAdmxPolicy(
  844. r"Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Access data sources across domains",
  845. {"Access data sources across domains": "Enable"},
  846. [
  847. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3[\s]*1406[\s]*DWORD:0"
  848. ],
  849. )
  850. self._testAdmxPolicy(
  851. r"Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Access data sources across domains",
  852. "Disabled",
  853. [
  854. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3[\s]*1406[\s]*DELETE"
  855. ],
  856. )
  857. @destructiveTest
  858. def test_set_computer_policy_ActiveHours(self):
  859. """
  860. Test configuring the ActiveHours policy, #47784
  861. Only applies to 2016Server
  862. # activehours.sls
  863. active_hours_policy:
  864. lgpo.set:
  865. - computer_policy:
  866. 'ActiveHours':
  867. 'ActiveHoursStartTime': '8 AM'
  868. 'ActiveHoursEndTime': '7 PM'
  869. """
  870. valid_osreleases = ["2016Server"]
  871. if self.osrelease not in valid_osreleases:
  872. self.skipTest(
  873. "ActiveHours policy is only applicable if the osrelease grain is {}".format(
  874. " or ".join(valid_osreleases)
  875. )
  876. )
  877. else:
  878. self._testAdmxPolicy(
  879. r"ActiveHours",
  880. {"ActiveHoursStartTime": "8 AM", "ActiveHoursEndTime": "7 PM"},
  881. [
  882. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*SetActiveHours[\s]*DWORD:1",
  883. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursStart[\s]*DWORD:8",
  884. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursEnd[\s]*DWORD:19",
  885. ],
  886. )
  887. self._testAdmxPolicy(
  888. r"ActiveHours",
  889. {"ActiveHoursStartTime": "5 AM", "ActiveHoursEndTime": "10 PM"},
  890. [
  891. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*SetActiveHours[\s]*DWORD:1",
  892. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursStart[\s]*DWORD:5",
  893. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursEnd[\s]*DWORD:22",
  894. ],
  895. )
  896. self._testAdmxPolicy(
  897. "Turn off auto-restart for updates during active hours",
  898. "Disabled",
  899. [
  900. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*SetActiveHours[\s]*DWORD:0",
  901. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursStart[\s]*DELETE",
  902. r"Computer[\s]*Software\\Policies\\Microsoft\\Windows\\WindowsUpdate[\s]*ActiveHoursEnd[\s]*DELETE",
  903. ],
  904. )
  905. self._testAdmxPolicy(
  906. r"Windows Components\Windows Update\Turn off auto-restart for updates during active hours",
  907. "Not Configured",
  908. [
  909. r"; Source file: c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED."
  910. ],
  911. )
  912. @destructiveTest
  913. def test_set_computer_policy_AllowTelemetry(self):
  914. """
  915. Tests that a the AllowTelemetry policy is applied correctly and that it
  916. doesn't appear in subsequent group policy states as having changed
  917. """
  918. valid_osreleases = ["10", "2016Server", "2019Server"]
  919. if self.osrelease not in valid_osreleases:
  920. self.skipTest(
  921. "Allow Telemetry policy is only applicable if the "
  922. "osrelease grain is {}".format(" or ".join(valid_osreleases))
  923. )
  924. else:
  925. self._testAdmxPolicy(
  926. "Allow Telemetry",
  927. {"AllowTelemetry": "1 - Basic"},
  928. [
  929. r"Software\\Policies\\Microsoft\\Windows\\DataCollection[\s]*AllowTelemetry[\s]*DWORD:1"
  930. ],
  931. assert_true=True,
  932. )
  933. # This policy does not exist on newer Windows builds
  934. result = self.run_function(
  935. "lgpo.get_policy_info",
  936. ["Disable pre-release features or settings"],
  937. policy_class="machine",
  938. )
  939. if result["policy_found"]:
  940. result = self.run_function(
  941. "state.single",
  942. ["lgpo.set"],
  943. name="state",
  944. computer_policy={
  945. "Disable pre-release features or settings": "Disabled"
  946. },
  947. )
  948. name = "lgpo_|-state_|-state_|-set"
  949. expected = {
  950. "new": {
  951. "Computer Configuration": {
  952. "Disable pre-release features or settings": "Disabled"
  953. }
  954. },
  955. "old": {
  956. "Computer Configuration": {
  957. "Disable pre-release features or settings": "Not Configured"
  958. }
  959. },
  960. }
  961. self.assertDictEqual(result[name]["changes"], expected)
  962. else:
  963. result = self.run_function(
  964. "lgpo.get_policy_info",
  965. ["Manage preview builds"],
  966. policy_class="machine",
  967. )
  968. if result["policy_found"]:
  969. result = self.run_function(
  970. "state.single",
  971. ["lgpo.set"],
  972. name="state",
  973. computer_policy={"Manage preview builds": "Disabled"},
  974. )
  975. name = "lgpo_|-state_|-state_|-set"
  976. expected = {
  977. "new": {
  978. "Computer Configuration": {
  979. "Manage preview builds": "Disabled"
  980. }
  981. },
  982. "old": {
  983. "Computer Configuration": {
  984. "Manage preview builds": "Not Configured"
  985. }
  986. },
  987. }
  988. self.assertDictEqual(result[name]["changes"], expected)
  989. @destructiveTest
  990. def test_set_computer_policy_ScRemoveOption(self):
  991. """
  992. Tests changing ScRemoveOption policy
  993. """
  994. self._testRegistryPolicy(
  995. "ScRemoveOption",
  996. "No Action",
  997. "HKEY_LOCAL_MACHINE",
  998. "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
  999. "ScRemoveOption",
  1000. "0",
  1001. "REG_SZ",
  1002. )
  1003. self._testRegistryPolicy(
  1004. "Interactive logon: Smart card removal behavior",
  1005. "Lock Workstation",
  1006. "HKEY_LOCAL_MACHINE",
  1007. "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
  1008. "ScRemoveOption",
  1009. "1",
  1010. "REG_SZ",
  1011. )
  1012. self._testRegistryPolicy(
  1013. "Interactive logon: Smart card removal behavior",
  1014. "Not Defined",
  1015. "HKEY_LOCAL_MACHINE",
  1016. "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
  1017. "ScRemoveOption",
  1018. None,
  1019. None,
  1020. False,
  1021. )
  1022. @destructiveTest
  1023. def test_set_sxs_servicing_policy(self):
  1024. """
  1025. Test setting/unsetting/changing sxs-servicing policy
  1026. """
  1027. # Disable sxs-servicing
  1028. log.debug("Attempting to disable sxs-servicing")
  1029. self._testAdmxPolicy(
  1030. "Specify settings for optional component installation and component repair",
  1031. "Disabled",
  1032. [
  1033. r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*LocalSourcePath[\s]*DELETE",
  1034. r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*UseWindowsUpdate[\s]*DELETE",
  1035. r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*RepairContentServerSource[\s]*DELETE",
  1036. ],
  1037. )
  1038. # configure sxs-servicing
  1039. log.debug("Attempting to enable sxs-servicing")
  1040. self._testAdmxPolicy(
  1041. "Specify settings for optional component installation and component repair",
  1042. {
  1043. "Alternate source file path": "",
  1044. "Never attempt to download payload from Windows Update": True,
  1045. "CheckBox_SidestepWSUS": False,
  1046. },
  1047. [
  1048. r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*LocalSourcePath[\s]*EXSZ:",
  1049. r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*UseWindowsUpdate[\s]*DWORD:2",
  1050. r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*RepairContentServerSource[\s]*DELETE",
  1051. ],
  1052. )
  1053. log.debug("Attempting to set different values on sxs-servicing")
  1054. self._testAdmxPolicy(
  1055. "Specify settings for optional component installation and component repair",
  1056. {
  1057. "Alternate source file path": r"\\some\fake\server",
  1058. "Never attempt to download payload from Windows Update": True,
  1059. "CheckBox_SidestepWSUS": False,
  1060. },
  1061. [
  1062. r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*LocalSourcePath[\s]*EXSZ:\\\\\\\\some\\\\fake\\\\server",
  1063. r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*UseWindowsUpdate[\s]*DWORD:2",
  1064. r"Computer[\s]*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Servicing[\s]*RepairContentServerSource[\s]*DELETE",
  1065. ],
  1066. )
  1067. # Not Configure sxs-servicing
  1068. log.debug("Attempting to set sxs-servicing to Not Configured")
  1069. self._testAdmxPolicy(
  1070. "Specify settings for optional component installation and component repair",
  1071. "Not Configured",
  1072. [
  1073. r"; Source file: c:\\windows\\system32\\grouppolicy\\machine\\registry.pol[\s]*; PARSING COMPLETED."
  1074. ],
  1075. )
  1076. def tearDown(self):
  1077. """
  1078. tearDown method, runs after each test
  1079. """
  1080. self.run_state(
  1081. "file.absent",
  1082. name="c:\\windows\\system32\\grouppolicy\\machine\\registry.pol",
  1083. )
  1084. self.run_state(
  1085. "file.absent", name="c:\\windows\\system32\\grouppolicy\\user\\registry.pol"
  1086. )